# service ipsec start
Starting pluto IKE daemon for IPsec: .                 [ OK ]
# service ipsec status
pluto (pid 23914) is running...
IPsec connections: loaded 3, active 1
3.4 Add the ports used by the IPsec VPN to the firewall in the console
Open UDP ports 500 and 4500 on both sides.
3.4 Test the UDP ports
nc -vuz 58.22.123.82 500
Connection to 58.22.123.82 500 port [udp/isakmp] succeeded!
nc -vuz 58.22.123.82 4500
Connection to 58.22.123.82 4500 port [udp/isakmp] succeeded!
# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                        [OK]
Libreswan 3.15 (netkey) on 2.6.32-431.1.2.0.1.el6.x86_64
Checking for IPsec support in kernel                   [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                   [OK]
         ICMP default/accept_redirects                 [OK]
         XFRM larval drop                              [OK]
Pluto ipsec.conf syntax                                [OK]
Hardware random device                                 [N/A]
Two or more interfaces found, checking IP forwarding   [OK]
Checking rp_filter                                     [OK]
Checking that pluto is running                         [OK]
 Pluto listening for IKE on udp 500                    [OK]
 Pluto listening for IKE/NAT-T on udp 4500             [OK]
Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                  [OK]
Checking 'iptables' command                            [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options               [OK]
Opportunistic Encryption                               [DISABLED]
5. Configure the service
5.1 Configure the authentication key (on every host acting as an IPsec VPN server)
# vim /etc/ipsec.secrets
##include /etc/ipsec.d/*.secrets
# basic configuration
config setup
    # which IPsec stack to use, "netkey" (the default), "klips" or "mast".
    # For MacOSX use "bsd"
    # netkey is the module built into 2.6 kernels; kernels older than 2.6 use the KLIPS module
    protostack=netkey
    # NAT traversal
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
    dumpdir=/var/run/pluto/
    # log location
    logfile=/var/log/pluto.log

include /etc/ipsec.d/*.conf
010 "sample" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "sample" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
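As an added example (not code from the original post), a small Python helper that makes the `ipsec verify` step and the pluto.log retransmission lines above scriptable: it lists every verify check that is not OK, and counts retransmissions per connection and IKE state, which is the first thing to look at when a tunnel stays stuck in STATE_QUICK_I1 after opening UDP 500/4500. Both sample inputs are constructed for this example.

```python
import re

# Constructed sample of `ipsec verify` output, one check per line.
VERIFY_SAMPLE = """\
Version check and ipsec on-path                         [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [FAILED]
         ICMP default/accept_redirects                  [OK]
Pluto listening for IKE on udp 500                      [OK]
Pluto listening for IKE/NAT-T on udp 4500               [OK]
Hardware random device                                  [N/A]
Opportunistic Encryption                                [DISABLED]
"""

# Constructed sample of /var/log/pluto.log lines.
LOG_SAMPLE = """\
010 "sample" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "sample" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
004 "office" #1: STATE_MAIN_I4: ISAKMP SA established
"""

CHECK_RE = re.compile(r"^\s*(?P<name>.+?)\s+\[(?P<status>[A-Z/]+)\]\s*$")
RETRANS_RE = re.compile(r'^\d+ "(?P<conn>[^"]+)" #\d+: (?P<state>STATE_\w+): retransmission')

def parse_verify(text):
    """Map each `ipsec verify` check name to its bracketed status."""
    checks = {}
    for line in text.splitlines():
        m = CHECK_RE.match(line)
        if m:
            checks[m.group("name")] = m.group("status")
    return checks

def failed_checks(text):
    """Checks that need fixing; OK, N/A and DISABLED are informational."""
    informational = {"OK", "N/A", "DISABLED"}
    return sorted(n for n, s in parse_verify(text).items() if s not in informational)

def retransmissions(log):
    """Count retransmissions per (connection, IKE state). Repeated
    STATE_QUICK_I1 retransmits mean the peer never answered the phase 2
    proposal, so recheck the UDP 500/4500 path before touching crypto."""
    counts = {}
    for line in log.splitlines():
        m = RETRANS_RE.match(line)
        if m:
            key = (m.group("conn"), m.group("state"))
            counts[key] = counts.get(key, 0) + 1
    return counts
```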